Nearly half of federal agencies miss DHS email security deadline

A recent report found that only half of federal agencies have implemented DHS's DMARC requirements by the deadline, leaving the other half vulnerable to malicious emails. (Imilian)

Despite Department of Homeland Security efforts to get federal agencies on track for securing their email servers against malicious messages, nearly half of agencies failed to meet a Jan. 15 deadline to do just that.

The day after the deadline set by a Department of Homeland Security directive requiring all agencies to implement a basic Domain-based Message Authentication, Reporting and Conformance, or DMARC, policy for their email systems, just over half had actually done so, according to a Jan. 16 ValiMail report.

The DHS directive mandated that federal agencies at least implement a DMARC policy of p=none, which allows the email domain owners to receive reports of unauthorized messages sent through the domain.

As of Dec. 18, 2017, only 47 percent of agencies had a DMARC policy, according to a previous Agari report. According to the ValiMail report, an additional 7.7 percent of agencies made the push to get their email domain systems compliant, bringing the federal total to 54.7 percent.

“The federal government now has a higher rate of DMARC deployment than almost any commercial sector we’ve looked at, including the Fortune 500 (34 percent), major U.S. banks (32 percent), and even Crunchbase ‘unicorns’ [a leaderboard for private companies valued at $1 billion or more] (31 percent),” the ValiMail report said.

“We predict that the vast majority of the government’s domains will have DMARC records within the next few months, even if they do miss this first deadline.”

By October 2018, federal agencies will be required to institute a stricter p=reject policy for their email domains, which automatically rejects email messages that fail authentication.
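The two policy levels described above (p=none for reporting, p=reject for enforcement) can be read straight from a domain's published DMARC TXT record. The Python sketch below is an added example, not taken from the article or either report; the domains and records are constructed samples, and it flags one caveat: p=none yields reports only when the record also publishes a rua address.

```python
# Constructed sample TXT values for _dmarc.<domain>; not real agency data.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "silent.example": "v=DMARC1; p=none",
    "enforce.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example",
    "spf-only.example": "v=spf1 -all",
    "missing.example": None,
}

def parse_dmarc(txt):
    """Return a dict of tags, or None when the TXT value is not a DMARC record."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489 requires the version tag to come first.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a record to: no-record, monitor, monitor-no-reports, quarantine, reject."""
    tags = parse_dmarc(txt)
    # Simplification in this sketch: a record without a p tag counts as no record.
    if tags is None or "p" not in tags:
        return "no-record"
    policy = tags["p"].lower()
    if policy == "none":
        # p=none only yields aggregate reports if a rua address is published.
        return "monitor" if tags.get("rua") else "monitor-no-reports"
    return policy if policy in ("quarantine", "reject") else "no-record"

def summarize(records):
    """Count domains with any DMARC policy and those already at p=reject."""
    labels = {domain: classify(txt) for domain, txt in records.items()}
    has_policy = sum(1 for label in labels.values() if label != "no-record")
    enforcing = sum(1 for label in labels.values() if label == "reject")
    return labels, has_policy, enforcing

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```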

“It’s a good sign that more than half of the federal government’s domains now have DMARC records. We’re optimistic that the vast majority of domains will have DMARC within the next few months,” the ValiMail report said.

“Then it’s on to the next challenge — getting to enforcement, which is the point at which DMARC actually starts protecting agencies from fraudulent emails by blocking unauthorized senders. That won’t be an easy journey, but it too is eminently achievable within the next nine months.”